The Easy-to-Miss Basics of Network Defense

Last month we released a paper on backdoor techniques which highlighted the importance of setting up your network properly to detect and block C&C communication. In this post, I will share some rules that IT administrators can proactively implement in order to set up “basic defense” for their network. I say basic here because these rules are not meant to cover all types of suspicious activity within the network — just some that I think are more likely to be missed.

Detect services that use non-standard ports

Popular protocols have default ports which are commonly used by applications or services. A service that runs a protocol but does not use its default port can be considered suspicious; this is a technique often used by attackers, since default ports are usually monitored by security products. Similarly, it is also important to detect unknown protocols using standard service ports like 80 (HTTP), 25 (SMTP), 21 (FTP), and 443 (HTTPS). Since IT admins cannot block traffic to these ports without breaking the services that legitimately use them, attackers are likely to use them for their own traffic. Since environments vary, it is the IT administrator’s job to identify the protocols to be allowed on each port, to closely monitor the traffic passing to these ports, and to make sure that it is what is expected.

Apart from this, it is also an important practice to close all unused ports in the environment. As we’ve learned in our past research on the techniques used by backdoors in targeted attacks, the port used by a backdoor is often dependent on which ports are allowed in the network. Limiting the open ports to those actually used in the network will prevent attackers from taking advantage of the others. The Network Time Protocol (NTP), used for synchronizing time in the network, is one example of a service attackers can abuse: it can be turned against the network to launch distributed denial of service (DDoS) attacks.

Detect files with names that have suspicious attributes

One of the most basic tricks for enticing users to open malicious files is manipulating the file name to make the target think that the file they’re opening is harmless. Although it is impossible to determine the nature of a file from the file name alone, there are several suspicious file attributes that IT administrators can take note of:

Files with too many spaces in the file name

Files with two or more file extensions (especially if the actual file extension is an executable)

Files with mismatched file type and extension (example: PE files that have extensions like “pif”, “bat”, or “cmd”)
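As an added example (not code from the original post), a small Python checker that applies the three attributes above to a file name and the file’s leading bytes. The space threshold and the extension sets are assumptions to be tuned per environment, and the sample records are constructed.

```python
import os

# Extensions Windows will run directly (assumed representative set, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "dll", "vbs", "js", "hta"}
# Extensions that legitimately carry a PE ("MZ") header (assumed set).
PE_EXTS = {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv"}
# Space-count threshold is an assumption; tune it to the environment.
MAX_SPACES = 5

def suspicious_attributes(path, head=b""):
    """Return the suspicious name/type attributes of one file.

    path: file name or path; head: the file's first bytes (only the magic is used).
    """
    name = os.path.basename(path)
    findings = []
    # Attribute 1: a long run of spaces usually pushes the real extension out of view.
    if name.count(" ") > MAX_SPACES:
        findings.append("too_many_spaces")
    # Attribute 2: two or more extensions; worse when the last (real) one is executable.
    exts = [p.strip().lower() for p in name.split(".")[1:] if p.strip()]
    if len(exts) >= 2:
        tag = "double_extension"
        if exts[-1] in EXECUTABLE_EXTS:
            tag += "_executable"
        findings.append(tag)
    # Attribute 3: PE magic ("MZ") under an extension that should not hold a PE.
    if head.startswith(b"MZ") and (not exts or exts[-1] not in PE_EXTS):
        findings.append("pe_with_mismatched_extension")
    return findings

# Constructed sample records (name, first bytes); these are not real files.
SAMPLES = [
    ("invoice.pdf" + " " * 30 + ".exe", b"MZ\x90\x00"),
    ("photo.jpg", b"\xff\xd8\xff"),
    ("update.cmd", b"MZ\x90\x00"),
    ("readme.txt", b"Hello"),
]

def scan_samples(samples=SAMPLES):
    """Map each sample name to its findings; files with no findings are omitted."""
    report = {}
    for name, head in samples:
        found = suspicious_attributes(name, head)
        if found:
            report[name] = found
    return report

if __name__ == "__main__":
    for name, found in scan_samples().items():
        print(f"{name!r}: {', '.join(found)}")
```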

Detect TOR node certificate and IP ranges

We’ve seen a lot of attacks adopt TOR to anonymize their activity, either to make it untraceable or to make the network traffic difficult to inspect, since it is fully encrypted. Finding this kind of activity in a network (unless TOR usage is expected) is a strong indicator of malicious activity and should be checked.

The easiest way to detect TOR traffic is by blacklisting TOR IP ranges. There are references available for these, such as the lists on Proxy.org.

Detect Suspicious HTTP Requests

Seeing critical data like account credentials in plain text in network packets is suspicious, because such data is almost always encrypted by default. Seeing it in the clear is usually a sign of malware, or of the attackers themselves, trying to exfiltrate account details they’ve stolen from systems in the network. Examples of malware that we’ve seen do this are information stealers like SPYW_SATIFFE, TSPY_HCOREPWSTL, PWS.VB, and HKTL_PASSVIEW.

Like I mentioned earlier, these rules are not all-encompassing. There are many other rules that IT administrators can implement in their network to proactively protect it from threats. The key, though, is being able to identify possible anomalies in the network, which can only be done if the network’s “normal” is defined as well.

Here are our other posts that aim to help IT administrators secure their network: